From: Jung, Jin (jin.jung@lmco.com)
Date: Fri May 30 2003 - 09:14:08 GMT-3
R5 should be configured with ppp auth chap callin,
and R2 with ppp auth chap.
Jin jung...
-----Original Message-----
From: Jason Cash [mailto:cash2001@swbell.net]
Sent: Thursday, May 29, 2003 8:31 PM
To: 'Brian Dennis'; ccielab@groupstudy.com
Subject: RE: ISDN PPP authentication
Good point, but then R5 did not request a callback:
R5
2d00h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
2d00h: BR0:1 PPP: Treating connection as a callout
2d00h: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
2d00h: Vi1 PPP: Treating connection as a callout
2d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state
to up
2d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1,
changed state to up
2d00h: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
In looking at the solutions for this, which part is incorrect? Should R5
not have the 'ppp auth chap', or is R2 configured wrong? In other words, to
accomplish the task, how should the two be configured?
By the way, this is IPE Section 22 - ISDN
-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Thursday, May 29, 2003 6:07 PM
To: 'Jason Cash'; ccielab@groupstudy.com
You added the "ppp authentication chap" command which isn't a default. The
default is to be authenticated but not authenticate. If you don't want to be
authenticated then use the "ppp chap|pap refuse" command.
Try removing the "ppp authentication chap" command from R5 and see what
happens.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason Cash
Sent: Thursday, May 29, 2003 1:44 PM
To: 'Brian Dennis'; ccielab@groupstudy.com
Subject: RE: ISDN PPP authentication
Being that it isn't stated how R5 should be treated in regard to
authentication, I left it at its default, which is to challenge, correct?
All that was instructed was for R2 to authenticate R5 ONLY when R5 calls R2.
I would think that 'ppp authentication callin' would accomplish this.
How does the provided solution solve the task? Wouldn't 'ppp authentication
callback' on R2 only have R2 authenticate R5 when R5 calls R2 on callback?
Maybe I am confusing this but is there a document that will explain this?
-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Thursday, May 29, 2003 2:30 PM
To: 'Jason Cash'; ccielab@groupstudy.com
Jason,
Why do you have R5 authenticating R2? The task doesn't ask for R5 to
authenticate R2. Was that in another part of the practice lab?
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason Cash
Sent: Thursday, May 29, 2003 10:44 AM
To: ccielab@groupstudy.com
Subject: ISDN PPP authentication
I am trying to complete a task that instructs:
Config R2 to authenticate R5 only when R5 calls R2.
The solution has R2 configured with:
R2
interface BRI0
 ip address 110.99.25.2 255.255.255.192
 encapsulation ppp
 dialer callback-secure
 ppp callback accept
 ppp authentication chap callback
R5
interface BRI0
 ip address 110.99.25.5 255.255.255.192
 encapsulation ppp
 ppp callback request
 ppp authentication chap
In doing a debug PPP auth, here is what I get. (Just for clarification, an
"I" means incoming and "O" is outbound, correct?)
with 'ppp auth chap callback'
R2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: I CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 45 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 46 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 46 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 46 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callout
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed
state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5
R5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: O CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 45 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 46 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 46 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 46 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callin
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed
state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
As you can see, with the 'callback' option on R2, R5 is challenging R2 which
responds. R2 then calls R5 back and is challenged by R5 AGAIN. (Do you see
my confusion?) It appears that with the 'callback' on R2, R2 is not doing
any challenging, which would make sense as it is waiting for a callback from
R5 to challenge. This will never happen as R2 is the callback server.
-------------------------------------------------
with 'ppp auth chap callin'
Here is router 2:
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: I CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: Waiting for peer to authenticate first
BR0:1 CHAP: I RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: O SUCCESS id 27 len 4
BR0:1 CHAP: Processing saved Challenge, id 43
BR0:1 CHAP: O RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 43 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 44 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callout
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed
state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5
Here is R5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: O CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: I CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: O RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: I SUCCESS id 27 len 4
BR0:1 CHAP: I RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 43 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 44 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callin
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed
state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
With the 'callin' option, R2 immediately challenges R5 (which is what is
instructed) then calls back and gets challenged by R5.
Am I interpreting this correctly?
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:50 GMT-3
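
Added example, not part of the original thread: a small parser that reads R2's "debug ppp authentication" output and reports, per call, which side authenticated which, then checks the task "R2 authenticates R5 only when R5 calls R2". The CHAP and PPP lines are copied from the R2 traces in the first post (link-state lines and two informational CHAP lines omitted); the function names are hypothetical.

```python
import re

# R2's CHAP/PPP debug lines, copied from the post above.
R2_CALLBACK = '''\
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: I CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 45 len 4
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 46 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 46 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 46 len 4
'''
R2_CALLIN = '''\
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: I CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: O SUCCESS id 27 len 4
BR0:1 CHAP: O RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 43 len 4
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 44 len 4
'''

CALL = re.compile(r"^BR\d+:\d+ PPP: Treating connection as a (callin|callout)")
CHAP = re.compile(r"^BR\d+:\d+ CHAP: ([IO]) (CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (\d+)")

def calls(debug_text):
    """Return one dict per call: its direction and who authenticated whom."""
    out = []
    for line in debug_text.splitlines():
        if m := CALL.match(line):
            out.append({"dir": m.group(1), "sent": set(), "local_auth": False, "peer_auth": False})
        elif (m := CHAP.match(line)) and out:
            way, kind, ident = m.groups()
            if way == "O" and kind == "CHALLENGE":
                out[-1]["sent"].add(ident)       # local router challenged the peer
            elif way == "O" and kind == "SUCCESS" and ident in out[-1]["sent"]:
                out[-1]["local_auth"] = True     # local router accepted the peer's response
            elif way == "I" and kind == "SUCCESS":
                out[-1]["peer_auth"] = True      # peer accepted the local router's response
    return out

def authenticates_only_on_callin(debug_text):
    """True if the local router verified the peer on every callin and on no callout."""
    cs = calls(debug_text)
    return bool(cs) and all(c["local_auth"] == (c["dir"] == "callin") for c in cs)
```

On the 'callback' trace R2 never sends a challenge, so the check fails; on the 'callin' trace R2 challenges R5 on the incoming call only, while R5 challenges R2 on both calls.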